How to stop journalctl showing audit logs and only keep them in file?
I would like to have all auditd logs only in their own log file and keep my journalctl view less polluted with events that, most of the time, are generated by my own actions (single-user/personal computer).
I've found how to either completely disable auditd or disable journal logging of audit events (?) on the Arch wiki, then I had a look at auditd.conf, where there actually is a log_file option filled in, but the file it points at does not exist and everything is simply logged into the journal.
# /etc/audit/auditd.conf
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /usr/bin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
# ...
It seems that systemd-journald-audit has priority over audit events; my first idea was to use rsyslog rules, but it seems rsyslog is not used on Manjaro.
So, how can I stop seeing audit events in journal[ctl] and have them only logged into a specific file?
I did my homework and got everything logged into a file and not into syslog/journal.
From what it seems, by default systemd sets up its own listener for the kernel's audit events and logs them into syslog/journal. The other alternative is using auditd to read these events and log them into a configurable log file.
Disable systemd's audit events logging:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
# masking will prevent starting by other services
# 'systemctl unmask' to reverse
systemctl mask systemd-journald-audit.socket
The audit events might still get logged into journal until you reboot.
Set up auditd
Install or make sure the auditd package is installed; it might be named differently depending on your distro, audit for Manjaro.
Configuration file
The location of auditd.conf seems to differ (the online manpage has a different location), see your man auditd.conf.
The following configuration should do the trick; make sure /var/log/audit/ exists.
# /etc/audit/auditd.conf
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 5 # after how many messages to explicitly flush
max_log_file = 8 # size in MB per one log file
num_logs = 5 # keep n amount of rotated logs
# ... truncated
This file already existed on my system with some sane defaults, but these seem to be the most important options for logging. You should consult your manpage if it doesn't exist; one of the other probably important options is dispatcher=, for if you are using audit rules (audispd, /etc/audit/rules.d/).
Systemd unit for auditd
With the auditd package comes its own systemd unit file located in /usr/lib/systemd/system/auditd.service. There are a few comments in the service file, make sure to read it to check if they apply.
Copy that file to /etc/systemd/system/auditd.service, then issue
systemctl daemon-reload
systemctl start auditd.service
systemctl enable auditd.service # will be auto started with system
This all applies to my system, which is Manjaro with kernel 5.9.10-1, systemd 246 and audit version 2.8.5.
The systemd unit for logging audit events into syslog/journal might be named differently, and the existence of the auditd unit file and its configuration path might be different in other distros.
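The following script is an added example for the procedure in the question and the answer above; it is not part of the original post and not code from the audit or systemd projects. It does the pre-flight checks a practitioner would want before masking systemd-journald-audit.socket: once the socket is masked, auditd is the only thing that will record kernel audit events, so if auditd cannot write its log (write_logs off, log_file unset, or log_file pointing into a directory that does not exist, which is what happened in the question; auditd creates the file but not the directory) the events are simply no longer recorded in the journal. It also checks that an existing audit.log is not group- or world-readable, since audit records contain command lines, uids and paths. The function names, the `check`/`apply` subcommands and the sample config used in the test are this example's own assumptions; `check` runs anywhere, `apply` needs root on a systemd host.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for moving
# audit logging from journald to auditd, plus the switch itself.

# Print the value of KEY from an auditd.conf-style "key = value" file.
# Strips leading/trailing whitespace and trailing '#' comments (like the
# ones in the answer's snippet). Prints nothing if KEY is absent.
auditd_conf_get() {
    key=$1; file=$2
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^#]*).*/\1/p" "$file" \
        | head -n 1 | sed -E 's/[[:space:]]*$//'
}

# Report problems with FILE that would stop auditd from writing its own log.
# Prints one line per problem; exit status 0 only when none were found.
auditd_conf_check() {
    file=$1; problems=0
    v=$(auditd_conf_get write_logs "$file")
    if [ "$v" != "yes" ]; then
        echo "write_logs = '$v' (expected yes; nothing will be written to log_file)"
        problems=$((problems + 1))
    fi
    log=$(auditd_conf_get log_file "$file")
    if [ -z "$log" ]; then
        echo "log_file is not set"
        problems=$((problems + 1))
    elif [ ! -d "$(dirname "$log")" ]; then
        # auditd opens log_file with O_CREAT but never creates its directory
        echo "log directory $(dirname "$log") does not exist; create it, auditd will not"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Audit records are sensitive: the log should be readable only by root and
# the log_group. Accepts mode 0600 or 0640; works with GNU and BSD stat.
audit_log_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|640) return 0 ;;
        *) echo "$1 has mode $mode; expected 0600 or 0640"; return 1 ;;
    esac
}

# The switch described in the answer, guarded by the checks above.
# Requires root and systemd; journald keeps its already-open audit
# socket until it is restarted or the machine reboots.
switch_to_auditd() {
    cfg=$1
    auditd_conf_check "$cfg" || return 1
    systemctl disable --now systemd-journald-audit.socket
    systemctl mask systemd-journald-audit.socket
    systemctl enable --now auditd.service
    echo "audit events now go to $(auditd_conf_get log_file "$cfg")"
}

# Usage: sh audit-switch.sh check [auditd.conf]   |   sudo sh audit-switch.sh apply [auditd.conf]
case "${1:-}" in
    check) auditd_conf_check "${2:-/etc/audit/auditd.conf}" ;;
    apply) switch_to_auditd "${2:-/etc/audit/auditd.conf}" ;;
esac
```

Run `check` first; it exits non-zero and names the problem when the config would leave you with no audit trail at all, which is the one outcome worse than a noisy journal.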